September 30, 2011

Trust exercise

When do we need our identity to be authenticated? Who should provide the service? Whom do we trust? And, to make it sustainable, what is the business model?

These questions have been debated ever since the early 1990s, when the Internet and the technology needed to enable the widespread use of strong cryptography arrived more or less simultaneously. Answering them is a genuinely hard problem (or it wouldn't be taking so long).

A key principle that emerged from the crypto-dominated discussions of the mid-1990s is that authentication mechanisms should be role-based and limited by "need to know"; information would be selectively unlocked and in the user's control. The policeman stopping my car at night needs to check my blood alcohol level and the validity of my driver's license, car registration, and insurance - but does not need to know where I live unless I'm in violation of one of those rules. Cryptography, properly deployed, can be used to protect my information, authenticate the policeman, and then authenticate the violation result that unlocks more data.

Today's stored-value cards - London's Oyster travel card, or Starbucks' payment/wifi cards - when used anonymously do capture some of what the crypto folks had in mind. But the crypto folks also imagined that anonymous digital cash or identification systems could be supported by selling standalone products people installed. This turned out to be wholly wrong: many tried, all failed. Which leads to today, where banks, telcos, and technology companies are all trying to figure out who can win the pool by becoming the gatekeeper - our proxy. We want convenience, security, and privacy, probably in that order; they want security and market acceptance, also probably in that order.

The assumption is we'll need that proxy because large institutions - banks, governments, companies - are still hung up on identity. So although the question should be whom do we - consumers and citizens - trust, the question that ultimately matters is whom do *they* trust? We know they don't trust *us*. So will it be mobile phones, those handy devices in everyone's pockets that are online all the time? Banks? Technology companies? Google has launched Google Wallet, and Facebook has grand aspirations for its single sign-on.

The government representatives who attended Privacy International's 1997 Scrambling for Safety meeting assumed that people trusted banks and that therefore they should be the Trusted Third Parties providing key escrow. Brilliant! It was instantly clear that the people who attended those meetings didn't trust their banks as much as all that.

As long as we equate "identity" with "a person's name" we're in the same kind of trouble the travel security agencies are when they try to predict who will become a terrorist on a particular flight. Like the browser fingerprint, we are more uniquely identifiable by the collection of our behaviors than we are by our names, as detectives who search for missing persons know. The target changes his name, his jobs, his home, and his wife - but if his obsession is chasing after trout he's still got a fishing license. Even if a link between a Starbucks card and its holder's real-world name is never formed, the more data the card's use enters into the system the more clearly recognizable as an individual he will be. The exact tag really doesn't matter in terms of understanding his established identity.

What I like about Deane-Johns' idea -

"the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by our own activity, on the fly, which is then useless and can be safely discarded"

is two things. First, it has potential as a way to make impersonation and identity fraud much harder. Second is that implicit in it is the possibility of two-way authentication, something we've clearly needed for years. Every large organization still behaves as though its identity is beyond question whereas we - consumers, citizens, employees - need to be thoroughly checked. Any identity infrastructure that is going to be robust in the future must be built on the understanding that with today's technology anyone and anything can be impersonated.

As an aside, it was remarkable how many people at this week's meeting were more concerned about having their Gmail accounts hacked than their bank accounts. My reasoning is that the stakes are higher: I'd rather lose my email reputation than my house. Their reasoning is that the banking industry is more responsive to customer problems than technology companies. That truly represents a shift from 1997, when technology companies were smaller and more responsive.

September 23, 2011

Your grandmother's phone

In my early 20s I had a friend who was an expert at driving cars with...let's call them quirks. If he had to turn the steering wheel 15 degrees to the right to keep the car going straight while peering between smears left by the windshield wipers and pressing just the exact right amount on the brake pedal, no problem. This is the beauty of humans: we are adaptable. That characteristic has made us the dominant species on the planet, since we can adapt to changes of habitat, food sources, climate (within reason), and cohorts. We also adapt to our tools, which is why technology designers get away with flaws like the iPhone's "death grip". We don't like it - but we can deal with it.

At least, we can deal with it when we know what's going on. At this week's Senior Market Mobile, the image that stuck in everyone's mind came early in the day, when Cambridge researchers Ian Hosking and Mike Bradley played a video clip of a 78-year-old woman trying to figure out how to get past an iPad's locked screen. Was it her fault that it seemed logical to her to hold it in one hand while jabbing at it in frustration? As Donald Norman wrote 20 years ago, for an interface to be intuitive it has to match the user's mental model of how it works.

That 78-year-old's difficulties, when compared with the glowing story of the 100-year-old who bonded instantly with her iPad, make another point: age is only one aspect of a person's existence - and one whose relevance they may reject. If you're having trouble reading small type or remembering the menu layout, pushing the buttons, or hearing a phone call, what matters isn't that you're old but that you have vision impairment, cognitive difficulties, less dextrous fingers, or hearing loss. You don't have to be old to have any of those things - and not all old people have them.

For those reasons, the design decisions intended to aid seniors - who, my God, are defined as anyone over 55! - aid many other people too. All of these points were made with clarity by Mark Beasley, whose company specializes in marketing to seniors - you know, people who, unlike predominantly 30-something designers and marketers, don't think they're old and who resent being lumped together with a load of others with very different needs on the basis of age. And who think it's not uncool to be over 50. (How ironic, considering that when the Baby Boomers were 18 they minted the slogan, "Never trust anyone over 30.")

Besides physical attributes and capabilities, cultural aspects matter more in a target audience than age per se. We who learned to type on manual typewriters bash keyboards a lot harder than those who grew up with computers. Those who grew up with the phone grudgingly sited in the hallway, using it only for the briefest of conversations, are less likely to be geared toward settling in for a long, loud intimate conversation on a public street.

Last year at this event, Mobile Industry Review editor Ewan McLeod lambasted the industry because even the iPhone did not effectively serve his parents' greatest need: an easy way to receive and enjoy pictures of their grandkids. This year, Stuart Arnott showed off a partial answer, Mindings, a free app for Android tablets that turns them into smart display frames. You can send them pictures or text messages or, in Arnott's example, a reminder to take medication that, when acknowledged by a touch, goes on to display the picture or message the owner really wants to see.

Another project in progress, Threedom, is an attempt to create an Android design with only three buttons that uses big icons and type to provide all the same functionality but very simply.

The problem with all of this - which Arnott seems to have grasped with Mindings - is that so much of these discussions focuses on the mobile phone as a device in isolation. But that's not really learning the lesson of the iPod/iPhone/iPad, which is that what matters is the ecology surrounding the device. It is true that a proportion of today's elderly do not use computers or understand why they suddenly need a mobile phone. But tomorrow's elderly will be radically different. Depending on class and profession, people who are 60 now are likely to have spent many years of their working lives using computers and mobile phones. When they reach 86, what will dictate their choice of phone will be only partly whatever impairments age may bring. A much bigger issue is going to be the legacy and other systems that the phone has to work with: implantable electronic medical devices, smart electrical meters, ancient software in use because it's familiar (and has too much data locked inside it), maybe even that smart house they keep telling us we're going to have one of these days. Those phones are going to have to do a lot more than just make it easy to call your son.

September 16, 2011

The world at ten

Like Meetup.org, net.wars-the-column is to some extent a child of 9/11 (the column was preceded by the book, four years of near-weekly news analysis pieces for the Daily Telegraph, and a sequel book, From Anarchy to Power: the Net Comes of Age). On November 2, 2011 the column will be ten years old, its creation sparked by a burst of frustrated anger when then foreign minister Jack Straw wagged a post-9/11 finger at those who had opposed his plans to restrict the use of strong encryption and implement key escrow in the mid-1990s when he was at the Home Office and blamed us.

Ten years on, we can revisit his claim. We now know, for example, that when Osama bin Laden wanted to hide, he didn't use cryptography to cloak his whereabouts. Instead, the reason his safe house stood out from those around it was that it was a technological black spot: "no phones, no broadband." In other words, bin Laden feared the power of technology as much as Straw and his cohorts: both feared it would empower their enemies. That paranoia was justified - but backfired spectacularly.

In our own case, it's clear that "the terrorists" have scored a substantial amount of victory. We - the US, the UK, Europe - would have had some kind of recession anyway, given the rapacious and unregulated behavior of banks and brokers leading up to 2008 - but we would have been much better placed to cope with it if we - the US - hadn't been simultaneously throwing $1.29 trillion at invading Iraq and Afghanistan. If you include medical and disability care for current and future veterans, according to the Eisenhower Research Project at Brown University that number rises to as much as $4 trillion.

But more than that, as Ryan Singel writes US-specifically at Wired, the West has built up a gigantic and expensive inward-turned surveillance infrastructure that is unlikely to be dismantled when or if the threat it was built to control goes away. In the last ten years, countless hundreds of millions of dollars and countless millions of hours of lost productivity have been spent on airport security when, as Bruce Schneier frequently writes, the only two changes that have made a significant difference to air travel safety have been reinforcing the cockpit doors and teaching passengers to fight back. The Department of Homeland Security's budget for its 2011 financial year is $56.3 billion (PDF) - which includes $214.7 million for airport scanners and another $218.9 million for people to staff them (so much for automation).

The UK in particular has spent much of the last ten years building the database state, creating dozens of large databases aimed at tracking various portions of society through various parts of their lives. Some of this has been dismantled by the coalition, but not all. The most visible part of the ID card is gone - but the key element was always the database of the nation's residents, and as data-sharing between government departments becomes ever easier, the equivalent may be built in practice rather than by explicit plan. In every Western country CCTV cameras are proliferating, as are surveillance-by-design policies such as data retention, built-in wiretapping, and widespread filtering. Every time a new system is built - the London congestion charge, for example, or the mooted smart road pricing systems - there are choices that would allow privacy to be built in. And so far, each time those choices are not taken.

But if the policies aimed at ourselves are misguided, as net.wars has frequently argued, the same is true of the policies we have directed at others. As part of the British Science Festival, Paul Rogers, a researcher with the Oxford Research Group, presented A War Gone Badly Wrong - The War on Terror Ten Years On, looking back at the aftermath of the attacks rather than the attacks themselves; the Brown research shows that in the various post-9/11 military actions 80 people have died for every 9/11 victim. Like millions of others who were ignored, the Oxford Research Group opposed the war at the time.

"The whole approach was a mistake," he told the press last Friday, arguing that the US should instead have called it an act of international criminality and sworn to work with everyone to bring the criminals to justice. "The US would have had worldwide support for that kind of action that it did not have for Afghanistan - or, especially, Iraq." He added, "If they had treated al-Qaeda as a common, bitter, vicious criminal movement, not a brave, religious movement worthy of fighting, that degrades it."

What he hopes his research will lead to now is "a really serious understanding of what wrong, and the risks of early recourse to early military responses." And, he added, "sustainable security" that focuses on conflict prevention. "Why it's important to look at the experience of the war on terror is to discern and learn those lessons."

They say that a conservative is a liberal who's been mugged. By analogy, it seems that a surveillance state is a democracy that's been attacked.

At stake is the extension of copyright in sound recordings from 50 years to 70, something the Open Rights Group has been fighting since it was born. The push to extend it above 50 years has been with us for at least five years; originally the proposal was to take it to 95 years. An extension from 50 to 70 years is modest by comparison, but given the way these things have been going over the last 50 years, that would buy the recording industry 20 years in which to lobby for the 95 years they originally wanted, and then 25 years to lobby for the line to be moved further. Why now? A great tranche of commercially popular recordings is up for entry into the public domain: Elvis Presley's earliest recordings date to 1956, and The Beatles' first album came out in 1963; their first singles are 50 years old this year. It's not long after that to all the great rock records of the 1970s.

My fellow Open Rights Group advisory council member Paul Sanders has up a concise little analysis about what's wrong here. Basically, it's never jam today for the artists, but jam yesterday, today, and tomorrow for the recording companies. I have commented frequently on the fact that the more record companies are able to make nearly pure profit on their back catalogues whose sunk costs have long ago been paid, the more new, young artists are required to compete for their attention with an ever-expanding back catalogue. I like Sanders' language on this: "redistributive, from younger artists to older and dead ones".

In recent years, we've heard a lot of the mantra "evidence-based policy" from the UK government. So, in the interests of ensuring this evidence-based policy the UK government is so keen on, here is some. The good news is they commissioned it themselves, so it ought to carry a lot of weight with them. Right? Right.

There have been two major British government reports studying the future of copyright and intellectual property law generally in the last five years: the Gowers Review, published in 2006, and the Hargreaves report, commissioned in November 2010 and released in May 2011.

From Hargreaves:

Economic evidence is clear that the likely deadweight loss to the economy exceeds any additional incentivising effect which might result from the extension of copyright term beyond its present levels. This is doubly clear for retrospective extension to copyright term, given the impossibility of incentivising the creation of already existing works, or work from artists already dead.

Despite this, there are frequent proposals to increase term, such as the current proposal to extend protection for sound recordings in Europe from 50 to 70 or even 95 years. The UK Government assessment found it to be economically detrimental. An international study found term extension to have no impact on output.

And further:

Such an extension was opposed by the Gowers Review and by published studies commissioned by the European Commission.

Ah, yes, Gowers and its 54 recommendations, many or most of which have been largely ignored. (Government policy seems to have embraced "strengthening of IP rights, whether through clamping down on piracy" to the exclusion of things like "improving the balance and flexibility of IP rights to allow individuals, businesses, and institutions to use content in ways consistent with the digital age".)

To Gowers:

Recommendation 3: The European Commission should retain the length of protection on sound recordings and performers' rights at 50 years.

And:

Recommendation 4: Policy makers should adopt the principle that the term and scope of protection for IP rights should not be altered retrospectively.

I'd use the word "retroactive", myself, but the point is the same. Copyright is a contract with society: you get the right to exploit your intellectual property for some number of years, and in return after that number of years your work belongs to the society whose culture helped produce it. Trying to change an agreed contract retroactively usually requires you to show that the contract was not concluded in good faith, or that someone is in breach. Neither of those situations applies here, and I don't think these large companies with their in-house lawyers, many of whom participated in drafting prior copyright law, can realistically argue that they didn't understand the provisions. Of course, this recommendation cuts both ways: if we can't put Elvis's earliest recordings back into copyright, thereby robbing the public domain, we also can't shorten the copyright protection that applies to recordings created with the promise of 50 years' worth of protection.

This whole mess is a fine example of policy laundering: shopping the thing around until you either wear out the opposition or find sufficient champions. The EU, with its Hampton Court maze of interrelated institutions, could have been deliberately designed to facilitate this. You can write to your MP, or even your MEP - but the sad fact is that the shiny, new EU government is doing all this in old-style backroom deals.

September 2, 2011

White rabbits

I feel like I am watching magicians holding black top hats. They do...you're not sure what...to a mess of hexagonal output on the projection screen so comprehensible words appear...and people laugh. And then some command line screens flash in and out before your eyes and something absurd and out-of-place appears, like the Windows calculator, and everyone applauds. I am at 44con, a less-crazed London offshoot of the Defcon-style mix of security and hacking. Although, this being Britain, they're pushing the sponsored beer.

In this way we move through exploits: iOS, Windows Phone 7, and SAP, whose protocols are pulled apart by Sensepost's Ian de Villiers. And after that Trusteer Rapport, which seems to be favored by banks and other financial services, and disliked by everyone else. All these talks leave a slightly bruised feeling, not so much like you'd do better to eschew all electronics and move to a hut on a deserted beach without a phone as that even if you did that you'd be vulnerable to other people's decisions. While exploring the inner workings of USB flash drives (PDF), for example, Phil Polstra noted in passing that the Windows Registry logs every single time you insert one. I knew my computer tracked me, but I didn't quite realize the full extent.

The bit of magic that most clearly makes this point is Maltego. This demonstration displays neither hexagonal code nor the Windows calculator, but rolls everything privacy advocates have warned about for years into one juicy tool that all the journalists present immediately start begging for. (This is not a phone hacking joke; this stuff could save acres of investigative time.) It's a form of search that turns a person or event into a colorful display of whirling dots (hits) that resolve into clusters. Its keeper, Roelof Temmingh, uses a mix of domain names, IP addresses, and geolocation to discover the Web sites White House users like to visit and tweets from the NSA parking lot. Version 4 - the first version of the software dates to 2007 - moves into real-time data mining.

Later, I ask a lawyer with a full, licensed copy to show me an ego search. We lack the time to finish, but our slower pace and diminished slickness make it plain that this software takes time and study to learn to drive. This is partly comforting: it means that the only people who can use it to do the full spy caper are professionals, rather than amateurs. Of course, those are the people who will also have - or be able to command - access to private databases that are closed to the rest of us, such as the utility companies' electronic customer records, which, when plugged in, can link cyberworld and real world identities. "A one-click stalking machine," Temmingh calls it.

As if your mobile phone - camera, microphone, geolocation, email, and Web browsing history - weren't enough. One attendee tells me seriously that he would indeed go to jail for two years rather than give up his phone's password, even if compelled under the Regulation of Investigatory Powers Act. Even if your parents are sick and need you to take care of them? I ask. He seems to feel I'm unfairly moving the bar.

Earlier, the current mantra that every Web site should offer secure HTTP came under fire. IOActive's Vincent Berg showed off how to figure out which grid tile of Google Maps and which Wikipedia pages someone has been looking at despite the connection's being carried over SSL. The basis of this is our old friend traffic analysis. It's not a great investigative tool because, as Berg himself points out, there would be many false positives, but side-channel leaks in Web pages are still a coming challenge (PDF). SSL has its well-documented problems, but "At some point the industry will get it right." We can but hope.

It was left to Alex Conran, whose TV program The Real Hustle starts its tenth season on BBC Three on Monday, to wind things up by reminding us that the most enduring hacks are the human ones. Conran says that after perpetrating more than 500 scams on an unsuspecting public (and debunking them afterwards), he has concluded that just as Western music relies on endless permutations of the same seven notes, scams rely on variations on the same five elements. They will sound familiar to anyone who's read The Skeptic over the last 24 years.

The five: misdirection, social compliance, the love of a special deal, time pressure, social proof (or reinforcement). "Con men are the hackers of human nature", Conran said, but noted that part of the point of his show is that if you educate people about what the risks are they will take the necessary steps to protect themselves. And then dispensed this piece of advice: if you want to control the world, buy a hi-vis jacket. They're cheap, and when you're wearing one, apparently anyone you meet will do anything you tell them without question. No magic necessary.